Skip to content
/ laravel-api-key Public

API key authorization for Laravel with replay attack prevention

License

MIT license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mxl/laravel-api-key

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
config
config
 
 
src
src
 
 
tests
tests
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
phpunit.xml
phpunit.xml
 
 

Repository files navigation

laravel-api-key

Current version Monthly Downloads Total Downloads Build Status

API Key Authorization for Laravel with replay attack prevention

Installation

$ composer require mxl/laravel-api-key

How it works?

Both sides (i.e. client and server) have a secret key. Client calculates a token - hash value for concatenated secret key and current timestamp. The Token and the timestamp are sent with request to server as separate HTTP headers. Server recalculates hash value and validates the token by comparing it with this value and by checking that received timestamp belongs to current time ± window interval.

Configuration

Package uses default configuration from vendor/laravel-api-key/config/apiKey.php:

<?php

return [
    'secret' => env('API_KEY_SECRET'),
    'hash' => env('API_KEY_HASH', 'md5'),
    'timestampHeader' => env('API_KEY_TIMESTAMP_HEADER', 'X-Timestamp'),
    'tokenHeader' => env('API_KEY_TOKEN_HEADER', 'X-Authorization'),
    'window' => env('API_KEY_WINDOW', 30),
];

To change it set environment variables mentioned in this configuration or copy it to your project with:

$ php artisan vendor:publish --provider="MichaelLedin\LaravelApiKey\ApiKeyServiceProvider" --tag=config

and modify config/apiKey.php file.

Notice! If you use php artisan config:cache or php artisan optimize command then you have to publish configuration as described above otherwise env() function will return null for all environment variables. Read more.

The configuration has following parameters:

  • secret - secret key that is known by client and server;
  • hash - an algorithm used to create hash value from secret key and timestamp; for a list of supported algorithms check an output of hash_algos function;
  • timestampHeader - HTTP header used to pass a timestamp;
  • tokenHeader - HTTP header used to pass a token;
  • window - window interval, in seconds;

Usage

Assign the middleware to routes using middleware class name:

use \MichaelLedin\LaravelApiKey\AuthorizeApiKey;

Route::get('admin/profile', function () {
    //
})->middleware(AuthorizeApiKey::class);

or an alias:

Route::get('admin/profile', function () {
    //
})->middleware('apiKey');

Maintainers

Other useful Laravel packages from the author

License

See the LICENSE file for details.

About

API key authorization for Laravel with replay attack prevention

Resources

Readme

License

MIT license
Activity

Stars

5 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

2 tags

Packages

No packages published

Languages